OAuth
Device code phishing attacks surge 37x as new kits spread online
Device code phishing attacks that abuse the OAuth 2.0 Device Authorization Grant flow to hijack accounts have surged more than 37 times this year. In this type of attack, the threat actor sends a device authorization request to a service provider and receives a code, which is sent to the victim under various pretexts. Next, the […]
Microsoft: Hackers abuse OAuth error flows to spread malware
Hackers are abusing the legitimate OAuth redirection mechanism to bypass phishing protections in email and browsers to take users to malicious pages. The attacks target government and public-sector organizations with phishing links that prompt users to authenticate to a malicious application, Microsoft Defender researchers say. with e-signature requests, Social Security notices, meeting invitations, password resets, […]
Hackers target Microsoft Entra accounts in device code vishing attacks
Threat actors are targeting technology, manufacturing, and financial organizations in campaigns that combine device code phishing and voice phishing (vishing) to abuse the OAuth 2.0 Device Authorization flow and compromise Microsoft Entra accounts. Unlike previous attacks that utilized malicious OAuth applications to compromise accounts, these campaigns instead leverage legitimate Microsoft OAuth client IDs and the […]
Microsoft 365 accounts targeted in wave of OAuth phishing attacks
Multiple threat actors are compromising Microsoft 365 accounts in phishing attacks that leverage the OAuth device code authorization mechanism. Attackers trick victims into entering a device code on Microsoft’s legitimate device login page, unknowingly authorizing an attacker-controlled application and granting them access to the target account without stealing credentials or bypassing multi-factor authentication (MFA). Although the […]
New ConsentFix attack hijacks Microsoft accounts via Azure CLI
A new variation of the ClickFix attack dubbed ‘ConsentFix’ abuses the Azure CLI OAuth app to hijack Microsoft accounts without the need for a password or to bypass multi-factor authentication (MFA) verifications. A ClickFix attack is a social engineering technique that attempts to trick users into running commands on their computer to install malware or steal data. […]
New CoPhish attack steals OAuth tokens via Copilot Studio agents
A new phishing technique dubbed ‘CoPhish’ weaponizes Microsoft Copilot Studio agents to deliver fraudulent OAuth consent requests via legitimate and trusted Microsoft domains. The technique was developed by researchers at Datadog Security Labs, who warned in a report earlier this week that Copilot Studio’s flexibility introduces new, undocumented phishing risks. Although CoPhish relies on social […]
Google warns Salesloft breach impacted some Workspace accounts
Google now reports that the Salesloft Drift breach is larger than initially thought, warning that attackers also used stolen OAuth tokens to access a small number of Google Workspace email accounts in addition to stealing data from Salesforce instances. “Based on new information identified by GTIG, the scope of this compromise is not exclusive to […]
Salesloft breached to steal OAuth tokens for Salesforce data-theft attacks
Hackers breached sales automation platform Salesloft to steal OAuth and refresh tokens from its Drift chat agent integration with Salesforce to pivot to customer environments and exfiltrate data. Salesloft’s SalesDrift is a third-party platform that connects the Drift AI chat agent with a Salesforce instance, allowing organizations to sync conversations, leads, and support cases into […]
Hackers abuse OAuth 2.0 workflows to hijack Microsoft 365 accounts
Russian threat actors have been abusing legitimate OAuth 2.0 authentication workflows to hijack Microsoft 365 accounts of employees of organizations related to Ukraine and human rights. The adversary is impersonating officials from European countries and contact targets through WhatsApp and Signal messaging platforms. The purpose is to convince potential victims to provide Microsoft authorization codes that […]
Fake “Security Alert” issues on GitHub use OAuth app to hijack accounts
A widespread phishing campaign has targeted nearly 12,000 GitHub repositories with fake “Security Alert” issues, tricking developers into authorizing a malicious OAuth app that grants attackers full control over their accounts and code. “Security Alert: Unusual Access Attempt We have detected a login attempt on your GitHub account that appears to be from a new […]